On April 29, 2021, China’s national legislature released the second draft of the Personal Information Protection Law (“PIPL”) for public comment until May 28, 2021. The updated draft substantially follows the framework of the first draft: it establishes China’s comprehensive system for the protection of personal information, sets forth general rules for the processing of personal information and for its transfer across China’s borders, and echoes certain mechanisms of the EU’s General Data Protection Regulation (“GDPR”), including extraterritorial application, under which China would use long-arm jurisdiction to regulate the relevant entities across borders. This approach reflects China’s position that privacy law is an important component of its long-term strategy on the international stage. In fact, the PIPL expressly contemplates China’s engagement with other jurisdictions (at both the country and regional levels) to try to create “interoperability” with other privacy regimes. Below we summarize the key terms of the updated draft PIPL.
- Scope of application
The PIPL applies to organizations and individuals processing the personal information of natural persons within the borders of China. It also applies to certain processing activities conducted outside the borders of China, including processing for the purpose of providing products or services to natural persons inside China, and other circumstances provided by laws or administrative regulations.
- Legal basis for processing personal information
Personal information processors (“PIPs”) may only handle personal information where the individual’s consent has been obtained, or where one of the specified alternative circumstances applies, such as fulfilling statutory responsibilities or obligations.
- Obligations of PIPs
Chapter 5 of the PIPL requires PIPs to adopt the measures necessary to ensure the security of their personal information processing. This extends to PIPs outside the borders of China, which are required to establish a dedicated entity or appoint a representative in China to be responsible for matters related to the personal information they handle.
Notably, PIPs are required to conduct risk assessments before undertaking certain processing activities, for example handling sensitive personal information or using personal information for automated decision-making.
- Cross-border transfer of personal information
The PIPL requires PIPs to meet at least one of the following conditions before transferring personal information overseas: (1) passing a security assessment conducted by the governmental authority, the National Cyberspace Administration (“NCA”); (2) obtaining personal information protection certification in accordance with rules issued by the NCA; (3) concluding a standard contract, in the form formulated by the NCA, with the foreign transferee; or (4) satisfying other conditions prescribed by the NCA.
It is worth noting that consent is not expressly listed as a basis for cross-border transfers; the most common basis in practice would seem to be the standard contract. Additionally, a “sovereignty” provision allows China to prohibit transfers of personal information in response to sanctions imposed by other countries, an interesting “commercial” use of privacy law.
- Ongoing regulatory activity
In a number of places the PIPL leaves room for the relevant Ministries to add or change the conditions of processing. For example, the NCA’s ability to modify the conditions for cross-border transfers is a significant variable when designing a compliance mechanism to permit such transfers. This Ministerial discretion requires close monitoring of how the PIPL evolves and is enforced in the future.
Violations of the PIPL can result in penalties imposed on companies and/or the responsible individuals. Fines of up to RMB 1 million may be imposed on companies, and fines of RMB 10,000 to RMB 100,000 on responsible individuals.
For grave unlawful acts, fines may be increased to up to RMB 50 million or 5% of the company’s annual revenue for companies, and RMB 100,000 to RMB 1 million for responsible individuals.
Once the PIPL takes effect, it will be the first comprehensive law governing personal information protection in China. Given the significant potential penalties under the PIPL and its long-arm jurisdiction mechanism, we suggest that multinationals with a business presence in China prepare for the release of China’s “GDPR” by planning employee training and adapting their internal policies.